2017, Dec 19

# Exploiting Protostar Stack4


## Problem source code

We will work on this problem without the C source code.

As you can see, the binary is a 32-bit ELF, not stripped, and it is not protected with canaries, PIC, NX or RELRO.

## Let’s have a look at what’s happening inside the app

We will open the binary in Radare2 and use Visual Mode to understand how it works.

We used `iE` to get the address of the win function, because we will need it later in our exploit.

So our main goal is to overwrite eip with 0x080483f4, the address of win.

This is how the function looks in Visual Mode.

Now we’ll use a tool from the radare2 framework called ragg2, which generates a cyclic pattern (a De Bruijn sequence) and lets us find the exact offset in our input that ends up in eip.
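As an added illustration (not the post’s code and not part of radare2), here is a small C program that does what ragg2’s pattern generation does: it builds a prefix of a De Bruijn sequence over 26 letters with order 4, so every 4-byte window is unique, and maps the value the debugger shows in eip back to an offset in the input. The function names are mine; the little-endian conversion in `offset_from_eip` is the step that is easiest to get wrong when reading the offset off a crash.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Alphabet for the pattern: 26 symbols, order 4, so every 4-byte window is unique. */
static const char ALPHABET[] = "abcdefghijklmnopqrstuvwxyz";
enum { K = 26, N = 4, MAX_PATTERN = 4096 };
struct emit { char *out; size_t pos, cap; };
/* Recursive FKM construction of the de Bruijn sequence B(K, N), cut off after cap bytes. */
static void db(int t, int p, unsigned char *a, struct emit *e) {
    if (e->pos >= e->cap) return;              /* only a prefix of the sequence is needed */
    if (t > N) {
        if (N % p == 0)
            for (int j = 1; j <= p && e->pos < e->cap; j++)
                e->out[e->pos++] = ALPHABET[a[j]];
    } else {
        a[t] = a[t - p];
        db(t + 1, p, a, e);
        for (int j = a[t - p] + 1; j < K; j++) {
            a[t] = (unsigned char)j;
            db(t + 1, t, a, e);
        }
    }
}
/* Write the first len bytes of the cyclic pattern into out (no NUL); returns bytes written. */
size_t cyclic_pattern(char *out, size_t len) {
    unsigned char a[N + 1] = {0};
    struct emit e = { out, 0, len };
    db(1, 1, a, &e);
    return e.pos;
}
/* Index of a 4-byte window inside the pattern, or -1 if it does not occur. */
long pattern_offset(const char *pat, size_t len, const char win[4]) {
    for (size_t i = 0; i + 4 <= len; i++)
        if (memcmp(pat + i, win, 4) == 0) return (long)i;
    return -1;
}
/* Map the eip value the debugger shows (after sending sent_len pattern bytes) back to the
 * number of input bytes that precede the saved return address; -1 if eip is not from the pattern. */
long offset_from_eip(size_t sent_len, uint32_t eip) {
    static char pat[MAX_PATTERN];
    size_t n = cyclic_pattern(pat, sent_len > MAX_PATTERN ? MAX_PATTERN : sent_len);
    /* x86 is little-endian: the low byte of eip is the first byte that was in memory. */
    char win[4] = { (char)eip, (char)(eip >> 8), (char)(eip >> 16), (char)(eip >> 24) };
    return pattern_offset(pat, n, win);
}

int main(void) {   /* stand-alone usage: a 120-byte pattern and a sample eip reading */
    printf("offset for eip=0x62616161: %ld\n", offset_from_eip(120, 0x62616161u));
}
```

The pattern begins "aaaabaaac…", so an eip of 0x62616161 (bytes "aaab" in memory) maps to offset 1 and 0x63616161 to offset 5; a value not drawn from the pattern, such as 0x41414141, yields -1.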

Now let’s create a new payload with the right value for eip at that offset.

And we did it ;)